Digital payment security: Trends for 2025

GM Sectec’s Oswaldo Silva delves into new Payment Card Industry Data Security Standard controls.
Looking ahead to 2025, the world continues to embrace digitalization across multiple industries, and the financial sector is no exception. Digital payments, once considered an emerging technology, have become a staple of the global economy.
According to Statista, global e-commerce sales reached an estimated $5.8 trillion in 2023. Projections indicate a 39% growth in this figure in the coming years, with expectations to exceed $8 trillion by 2027.
At the same time, cybercrime is streamlining its operations, and its consequences will become more far-reaching as criminals leverage artificial intelligence, the adoption of new digital payment systems and the emergence of new fraud tactics.
That’s why protecting payment card information is essential in today’s digital world. The Payment Card Industry Data Security Standard (PCI DSS), which was created in 2004, is a vital framework designed to protect against cyberthreats. Organizations that store, process or transmit cardholder data must comply with this standard.
The PCI DSS establishes a basic level of security for credit, cash and debit card transactions and protects account holder information.
The standard has undergone several updates to adapt to the changing threat landscape. The current version, PCI DSS v4.0, which came into effect in April 2024, was updated to PCI DSS v4.0.1 in June 2024, clarifying the focus and intent of some of the requirements and guidance. Compliance with this security standard is not optional, but the specific parts of the standard that must be met depend on how transactions are processed.
New PCI DSS controls applicable starting April 2025
The update to version 4.x includes 53 controls that become mandatory in April 2025 and involve a more complex implementation than the controls that were immediately applicable.
Among the most important controls are:
- Encryption of SAD (Sensitive Authentication Data), including the CVV (Card Verification Value), while the transaction is being authorized.
- Technical controls to prevent the PAN (Primary Account Number) from being copied when remote access technologies are used.
- Targeted Risk Analyses (TRAs) to define how often some controls are performed.
- Malware scanning of removable media.
- Mechanisms for managing and securing payment scripts.
- Authenticated internal scans.
- Monitoring of scripts on payment pages.
A key control for understanding the evolution of PCI DSS is the Targeted Risk Analysis (TRA): to define how often a given control is performed, the organization must justify that frequency with a specific risk analysis of the control and the assets it applies to.
AI will still be a trend in 2025, and PCI is no exception: many of the card payment standard's controls can be assisted by AI, such as code cross-review, where AI can generate secure-coding recommendations. Similarly, tools can use AI to build the inventory of payment scripts and monitor them.
Another important change for 2025 is that companies are responsible for identifying and monitoring their PCI scope, using data discovery tools so that they can demonstrate that their CDE (Cardholder Data Environment) is correctly defined.
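The payment-script controls in the list above (managing and securing payment scripts, monitoring scripts on payment pages) and the inventory just mentioned can be checked mechanically. The following Python audit is an added example, not code from the article or from GM Sectec: it compares the `<script>` elements of a checkout page with an authorized inventory (source, SRI hash, business justification) in the spirit of PCI DSS v4.0 requirement 6.4.3 and flags unauthorized, unpinned or altered scripts. The URLs, the inventory, the SRI value and the page are constructed sample data.

```python
import base64
import hashlib
from html.parser import HTMLParser

INLINE = "inline"  # inventory key for scripts embedded directly in the page
def sri_sha256(content: str) -> str:
    """SRI-style 'sha256-<base64>' digest of a script's text."""
    return "sha256-" + base64.b64encode(hashlib.sha256(content.encode()).digest()).decode()

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], False  # every <script>: src, integrity attribute, inline text
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "text": ""})
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.scripts[-1]["text"] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "script"

def audit_payment_page(html: str, inventory: dict) -> list:
    """Return (severity, source, reason) for each script that deviates from the inventory."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        if s["src"]:  # external script: must be inventoried and pinned with an SRI hash
            approved = inventory.get(s["src"])
            if approved is None:
                findings.append(("HIGH", s["src"], "script not in authorized inventory"))
            elif s["integrity"] is None:
                findings.append(("MEDIUM", s["src"], "no integrity attribute; tampering would go unnoticed"))
            elif s["integrity"] != approved["sri"]:
                findings.append(("HIGH", s["src"], "integrity hash differs from approved version"))
        elif sri_sha256(s["text"]) not in inventory.get(INLINE, {}):  # inline: match on content hash
            findings.append(("HIGH", INLINE, "inline script not in authorized inventory"))
    return findings

# Constructed inventory and constructed page: checkout.js and the first inline script are approved,
# the analytics script and the promo script are not, so the audit should report exactly those two.
INVENTORY = {
    "https://pay.example.test/js/checkout.js": {"justification": "card form validation", "sri": "sha256-CONSTRUCTEDAPPROVEDDIGEST="},
    INLINE: {sri_sha256("window.checkoutReady = true;"): "checkout bootstrap flag"},
}
SAMPLE_PAGE = """<script src="https://pay.example.test/js/checkout.js" integrity="sha256-CONSTRUCTEDAPPROVEDDIGEST="></script>
<script src="https://cdn.example.test/analytics.js"></script>
<script>window.checkoutReady = true;</script>
<script>var promo = "SPRING25";</script>"""
```

Running the audit against a live page from a scheduled job, and alerting on any non-empty result, turns the inventory into the monitoring mechanism the standard asks for.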
In 2025, cybersecurity will continue to evolve, adapting to new threats and attack methods, which is why compliance with the PCI DSS standard is essential to continue protecting cardholder data, maintaining customer trust and safeguarding their information.

Author Oswaldo Silva is vice president of Operations for GM Sectec Mexico.